GLBA Compliance Requirements

June 30, 2023

GLBA, also known as the Gramm-Leach-Bliley Act, is a federal law that enacted in 1999 to regulate how financial institutions handle the nonpublic personal information (NPI) they collect on their customers and consumers.

NPI is defined as any personally identifiable financial information that is not otherwise publicly available. NPI may include names, addresses, phone numbers, social security numbers, bank and credit card account numbers, credit or debit card purchases, court records from a consumer report, and other sensitive personal information.

The Act applies to a wide range of businesses, including banks, credit unions, securities firms, insurance companies, and other financial service providers. Institutions that violate GLBA face fines of up to $100,000 per violation — and so do individuals. Organizations who do maintain compliance with GLBA, on the other hand, not only avoid financial penalties, but increase trust and loyalty among customers.

GLBA is comprised of three major sections – the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions of GLBA.

Compliance with the Financial Privacy Rule and the Safeguards Rule should always begin with data discovery; that is, understanding the NPI that your organization is collecting, storing, and sharing with third parties, including where it’s located and how it’s being used.

Let’s dive into everything you need to know about the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions of GLBA and how modern data discovery, classification, and remediation techniques can help you comply by ensuring the confidentiality and security of your consumers’ data.

The Financial Privacy Rule

The Financial Privacy Rule is the first section of GLBA that requires financial institutions to inform customers about the collection, use, and sharing of their personal information. The rule mandates that financial institutions provide a privacy notice to customers when they open an account, and annually thereafter.

The privacy notice should disclose the types of information that the financial institution collects about its customers, how it uses that information, and with whom it shares the information.

One of the most significant aspects of the Financial Privacy Rule is data discovery. Financial institutions need to know where all their data is stored, who has access to it, and how it is being used. It is crucial to identify all personal data within the company.

This means that all customers’ data, past, current, or potential ones, will need to be identified and accounted for by the organization.

The Safeguards Rule

The Safeguards Rule is the second part of GLBA. It focuses mainly on information security, mandating that organizations protect the customer information they collect. To comply with the rule, companies must develop a written information security plan that describes how they protect their data.

Many of the Safeguards Rules requirements can be addressed with data discovery, classification, and remediation platforms like Spirion Sensitive Data Platform as follows:

  • Section 314(c)(2) – Creation of a data inventory – Institutions need the ability to accurately and automatically locate NPI in your information ecosystem
  • Section 314.4(b) – Establishment of an information security program – Program requirements include controls implicated by risk assessments and a reporting mechanism that demonstrates the program’s ability to protect NPI.
  • Section 314.4(b) and (c) –
    • Periodically perform risk assessments – Data discovery and reporting are key components of this requirement to understand your institution’s sensitive data risk exposures.
    • Implement safeguards, post risk assessment – Nearly all modern security and privacy laws mandate risk assessments to understand the nature and scope of danger to sensitive and personal data and to implement appropriate safeguards.
  • Section 314(b)(2) – Additional risks assessments to assess the security, confidentiality, and integrity of customer information – Complying with this section requires a proactive approach to monitoring changes in your sensitive data footprint.
  • Section 314.4(c)(3) – Encrypt data at risk – Data discovery and classification can be used to invoke encryption capabilities, as well as quarantine, redact, or shred files based on automated workflows.
  • Section 314(c)(6)(i) – Develop, implement, and maintain procedures for the secure disposal of customer information – Deletion of NPI must be permanent and provable. Spirion’s Workflow and Classification engine enables institutions to conduct automated deletion of files containing NPI or the redaction of NPI elements, according to customizable criteria. Associated reporting provides evidence of compliance with the “secure disposal” requirement. Finally, for information that is exempt from disposal requirements, data classification labels and metadata derived from Spirion identification can be configured to prevent unauthorized erasure per your institution’s policies.
  • Section 314.4(c)(8) – Monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information – Spirion takes a proactive approach to monitoring using Sensitive Data Watcher®, which continuously monitors and reports on NPI as it’s created, copied, edited, sent from an email, extracted from an archive, retrieved from the cloud or enterprise storage, or otherwise modified across an organization’s data landscape.
  • Section 86 FR 70273; 314.4(h) and 314.4(b)(2) – Employ data classification; establish a written incident response plan; Establish and information security program – Key to mitigating or resolving a breach is having policies and procedures in place that implement automatic and persistent data classification, which is the process of analyzing a document or record and applying a label that indicates its sensitivity, who can access, how long it should be protected and retained, how it should be disposed of, and other business context.
  • Section 314.4(i) – Report regularly to the board of directors or other governing body – The ability to demonstrate compliance efforts and successes is key to meeting both obligations to business partners and mandates to regulatory bodies. Spirion SPIglassTM Executive-Level Dashboard enables visualizes of trends in metrics that are impactful at even the highest level of the organization.

The Pretexting Provisions

The final section of GLBA is the Pretexting Provisions, which prohibits financial institutions or any other person from obtaining customer information under false pretenses. Compliance measures include verifying the identity of anyone who seeks access to customer information, and any adverse actions must be investigated and resolved.

How Spirion Helps

Compliance with GLBA and other data privacy mandates requires the identification of all personal data assets, proper security measures in place, and the verification of anyone seeking access to customer data. That’s why Spirion is step one to developing an effective strategy to get your data under control. With Spirion, you gain clarity as to what sensitive data you have and where it is located, control over how your data is stored and used, and confidence that your data is protected.

It all begins with our proven 98.5% accurate discovery that is then enforced through our powerful and purposeful automated classification, and Playbook-based cures and controls.

To help your financial institution stay GLBA compliant and, most importantly, protect the sensitive information of your customers, contact Spirion today for more information or a 1:1 demonstration.